Analysis
max time kernel: 103s
max time network: 135s
platform: windows10_x64
resource: win10
submitted: 31-07-2020 10:26
Static task: static1
Behavioral task: behavioral1
  Sample: 6ebc441b966301fb0df9e020409349b4.exe
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: 6ebc441b966301fb0df9e020409349b4.exe
  Resource: win10
General
Target: 6ebc441b966301fb0df9e020409349b4.exe
Size: 804KB
MD5: 6ebc441b966301fb0df9e020409349b4
SHA1: 0e241c16dfc4b0e3b918c86a0ae39bdaff7fd81f
SHA256: 286c2eb8755215619d8cb48cc884091251729d5925b74444fe3b62c2c1a5acb5
SHA512: 9d498a7db1b3abfd4ea06ded88bc9cf245b7a6bd7dcbf97612a525350291f2c616381b54c055afb7bc3e15c3b6103fd49fdb18c69d6fd38fca018c5976728270
Malware Config
Extracted
  Path: C:\Users\Admin\AppData\LocalLow\machineinfo.txt
  Family: raccoon
Extracted
  Family: azorult
  C2: http://195.245.112.115/index.php
Signatures
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Contains code to disable Windows Defender (2 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource | yara_rule
behavioral2/memory/1136-126-0x0000000000400000-0x0000000000408000-memory.dmp | disable_win_def
behavioral2/memory/1136-129-0x0000000000403BEE-mapping.dmp | disable_win_def
Oski
Oski is an infostealer targeting browser data and crypto wallets.
Raccoon log file (1 IoCs)
Detects a log file produced by the Raccoon Stealer.
Processes:
yara_rule
raccoon_log_file
Downloads MZ/PE file
Executes dropped EXE (13 IoCs)
Processes:
pid | process
3848 | POvnsqt.exe
3928 | Ofdsnswq.exe
3508 | POvnsqt.exe
4036 | Ofdsnswq.exe
3856 | ac.exe
3492 | rc.exe
1652 | ds2.exe
1828 | ds1.exe
2636 | zTkUsfmOzZ.exe
2820 | BgjGTXOHLB.exe
3016 | 7we2KHe8qk.exe
496 | 1Yo1uoKw59.exe
1136 | 1Yo1uoKw59.exe
Loads dropped DLL (15 IoCs)
Processes:
pid | process
2892 | 6ebc441b966301fb0df9e020409349b4.exe
4036 | Ofdsnswq.exe
4036 | Ofdsnswq.exe
4036 | Ofdsnswq.exe
2892 | 6ebc441b966301fb0df9e020409349b4.exe
2892 | 6ebc441b966301fb0df9e020409349b4.exe
2892 | 6ebc441b966301fb0df9e020409349b4.exe
2892 | 6ebc441b966301fb0df9e020409349b4.exe
2892 | 6ebc441b966301fb0df9e020409349b4.exe
2892 | 6ebc441b966301fb0df9e020409349b4.exe
2892 | 6ebc441b966301fb0df9e020409349b4.exe
3508 | POvnsqt.exe
3508 | POvnsqt.exe
3508 | POvnsqt.exe
3508 | POvnsqt.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 1Yo1uoKw59.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 1Yo1uoKw59.exe
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops desktop.ini file(s) (1 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\LocalLow\cr6im03b56g32r\desktop.ini | 6ebc441b966301fb0df9e020409349b4.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Suspicious use of SetThreadContext (4 IoCs)
Processes:
description | pid | process | target process
PID 976 set thread context of 2892 | 976 | 6ebc441b966301fb0df9e020409349b4.exe | 6ebc441b966301fb0df9e020409349b4.exe
PID 3848 set thread context of 3508 | 3848 | POvnsqt.exe | POvnsqt.exe
PID 3928 set thread context of 4036 | 3928 | Ofdsnswq.exe | Ofdsnswq.exe
PID 496 set thread context of 1136 | 496 | 1Yo1uoKw59.exe | 1Yo1uoKw59.exe
Drops file in Windows directory (1 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | WerFault.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (4 IoCs)
Processes:
pid | pid_target | process | target process
3236 | 1652 | WerFault.exe | ds2.exe
1604 | 1828 | WerFault.exe | ds1.exe
3840 | 3016 | WerFault.exe | 7we2KHe8qk.exe
4060 | 2820 | WerFault.exe | BgjGTXOHLB.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | POvnsqt.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Ofdsnswq.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | POvnsqt.exe
Delays execution with timeout.exe (2 IoCs)
Processes:
pid | process
2432 | timeout.exe
676 | timeout.exe
Kills process with taskkill (1 IoCs)
Processes:
pid | process
1012 | taskkill.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process
3508 | POvnsqt.exe
3508 | POvnsqt.exe
1652 | ds2.exe
1652 | ds2.exe
1652 | ds2.exe
1828 | ds1.exe
1828 | ds1.exe
1828 | ds1.exe
3016 | 7we2KHe8qk.exe
3016 | 7we2KHe8qk.exe
3016 | 7we2KHe8qk.exe
496 | 1Yo1uoKw59.exe
496 | 1Yo1uoKw59.exe
496 | 1Yo1uoKw59.exe
3236 | WerFault.exe
1604 | WerFault.exe
1604 | WerFault.exe
3236 | WerFault.exe
1604 | WerFault.exe
3236 | WerFault.exe
1604 | WerFault.exe
3236 | WerFault.exe
1604 | WerFault.exe
3236 | WerFault.exe
1604 | WerFault.exe
3236 | WerFault.exe
1604 | WerFault.exe
3236 | WerFault.exe
1604 | WerFault.exe
3236 | WerFault.exe
1604 | WerFault.exe
3236 | WerFault.exe
1604 | WerFault.exe
3236 | WerFault.exe
1604 | WerFault.exe
3236 | WerFault.exe
1604 | WerFault.exe
3236 | WerFault.exe
1604 | WerFault.exe
3236 | WerFault.exe
1604 | WerFault.exe
3236 | WerFault.exe
3840 | WerFault.exe
3840 | WerFault.exe
3840 | WerFault.exe
3840 | WerFault.exe
3840 | WerFault.exe
3840 | WerFault.exe
3840 | WerFault.exe
3840 | WerFault.exe
3840 | WerFault.exe
3840 | WerFault.exe
3840 | WerFault.exe
3840 | WerFault.exe
3840 | WerFault.exe
3840 | WerFault.exe
3840 | WerFault.exe
4060 | WerFault.exe
4060 | WerFault.exe
4060 | WerFault.exe
4060 | WerFault.exe
4060 | WerFault.exe
4060 | WerFault.exe
4060 | WerFault.exe
Suspicious behavior: MapViewOfSection (3 IoCs)
Processes:
pid | process
976 | 6ebc441b966301fb0df9e020409349b4.exe
3848 | POvnsqt.exe
3928 | Ofdsnswq.exe
Suspicious use of AdjustPrivilegeToken (15 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1012 | taskkill.exe
Token: SeDebugPrivilege | 1652 | ds2.exe
Token: SeDebugPrivilege | 1828 | ds1.exe
Token: SeDebugPrivilege | 3016 | 7we2KHe8qk.exe
Token: SeDebugPrivilege | 496 | 1Yo1uoKw59.exe
Token: SeRestorePrivilege | 3236 | WerFault.exe
Token: SeBackupPrivilege | 3236 | WerFault.exe
Token: SeRestorePrivilege | 1604 | WerFault.exe
Token: SeBackupPrivilege | 1604 | WerFault.exe
Token: SeBackupPrivilege | 1604 | WerFault.exe
Token: SeDebugPrivilege | 1604 | WerFault.exe
Token: SeDebugPrivilege | 3236 | WerFault.exe
Token: SeDebugPrivilege | 3840 | WerFault.exe
Token: SeDebugPrivilege | 4060 | WerFault.exe
Token: SeDebugPrivilege | 3440 | powershell.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
pid | process
976 | 6ebc441b966301fb0df9e020409349b4.exe
3848 | POvnsqt.exe
3928 | Ofdsnswq.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
PID 976 wrote to memory of 3848 | 976 | 6ebc441b966301fb0df9e020409349b4.exe | POvnsqt.exe
PID 976 wrote to memory of 3848 | 976 | 6ebc441b966301fb0df9e020409349b4.exe | POvnsqt.exe
PID 976 wrote to memory of 3848 | 976 | 6ebc441b966301fb0df9e020409349b4.exe | POvnsqt.exe
PID 976 wrote to memory of 3928 | 976 | 6ebc441b966301fb0df9e020409349b4.exe | Ofdsnswq.exe
PID 976 wrote to memory of 3928 | 976 | 6ebc441b966301fb0df9e020409349b4.exe | Ofdsnswq.exe
PID 976 wrote to memory of 3928 | 976 | 6ebc441b966301fb0df9e020409349b4.exe | Ofdsnswq.exe
PID 976 wrote to memory of 2892 | 976 | 6ebc441b966301fb0df9e020409349b4.exe | 6ebc441b966301fb0df9e020409349b4.exe
PID 976 wrote to memory of 2892 | 976 | 6ebc441b966301fb0df9e020409349b4.exe | 6ebc441b966301fb0df9e020409349b4.exe
PID 976 wrote to memory of 2892 | 976 | 6ebc441b966301fb0df9e020409349b4.exe | 6ebc441b966301fb0df9e020409349b4.exe
PID 3848 wrote to memory of 3508 | 3848 | POvnsqt.exe | POvnsqt.exe
PID 3848 wrote to memory of 3508 | 3848 | POvnsqt.exe | POvnsqt.exe
PID 3848 wrote to memory of 3508 | 3848 | POvnsqt.exe | POvnsqt.exe
PID 976 wrote to memory of 2892 | 976 | 6ebc441b966301fb0df9e020409349b4.exe | 6ebc441b966301fb0df9e020409349b4.exe
PID 3848 wrote to memory of 3508 | 3848 | POvnsqt.exe | POvnsqt.exe
PID 3928 wrote to memory of 4036 | 3928 | Ofdsnswq.exe | Ofdsnswq.exe
PID 3928 wrote to memory of 4036 | 3928 | Ofdsnswq.exe | Ofdsnswq.exe
PID 3928 wrote to memory of 4036 | 3928 | Ofdsnswq.exe | Ofdsnswq.exe
PID 3928 wrote to memory of 4036 | 3928 | Ofdsnswq.exe | Ofdsnswq.exe
PID 4036 wrote to memory of 2020 | 4036 | Ofdsnswq.exe | cmd.exe
PID 4036 wrote to memory of 2020 | 4036 | Ofdsnswq.exe | cmd.exe
PID 4036 wrote to memory of 2020 | 4036 | Ofdsnswq.exe | cmd.exe
PID 2020 wrote to memory of 1012 | 2020 | cmd.exe | taskkill.exe
PID 2020 wrote to memory of 1012 | 2020 | cmd.exe | taskkill.exe
PID 2020 wrote to memory of 1012 | 2020 | cmd.exe | taskkill.exe
PID 3508 wrote to memory of 3856 | 3508 | POvnsqt.exe | ac.exe
PID 3508 wrote to memory of 3856 | 3508 | POvnsqt.exe | ac.exe
PID 3508 wrote to memory of 3856 | 3508 | POvnsqt.exe | ac.exe
PID 3508 wrote to memory of 3492 | 3508 | POvnsqt.exe | rc.exe
PID 3508 wrote to memory of 3492 | 3508 | POvnsqt.exe | rc.exe
PID 3508 wrote to memory of 3492 | 3508 | POvnsqt.exe | rc.exe
PID 3508 wrote to memory of 1652 | 3508 | POvnsqt.exe | ds2.exe
PID 3508 wrote to memory of 1652 | 3508 | POvnsqt.exe | ds2.exe
PID 3508 wrote to memory of 1652 | 3508 | POvnsqt.exe | ds2.exe
PID 3508 wrote to memory of 1828 | 3508 | POvnsqt.exe | ds1.exe
PID 3508 wrote to memory of 1828 | 3508 | POvnsqt.exe | ds1.exe
PID 3508 wrote to memory of 1828 | 3508 | POvnsqt.exe | ds1.exe
PID 3508 wrote to memory of 1528 | 3508 | POvnsqt.exe | cmd.exe
PID 3508 wrote to memory of 1528 | 3508 | POvnsqt.exe | cmd.exe
PID 3508 wrote to memory of 1528 | 3508 | POvnsqt.exe | cmd.exe
PID 1528 wrote to memory of 2432 | 1528 | cmd.exe | timeout.exe
PID 1528 wrote to memory of 2432 | 1528 | cmd.exe | timeout.exe
PID 1528 wrote to memory of 2432 | 1528 | cmd.exe | timeout.exe
PID 2892 wrote to memory of 2636 | 2892 | 6ebc441b966301fb0df9e020409349b4.exe | zTkUsfmOzZ.exe
PID 2892 wrote to memory of 2636 | 2892 | 6ebc441b966301fb0df9e020409349b4.exe | zTkUsfmOzZ.exe
PID 2892 wrote to memory of 2636 | 2892 | 6ebc441b966301fb0df9e020409349b4.exe | zTkUsfmOzZ.exe
PID 2892 wrote to memory of 2820 | 2892 | 6ebc441b966301fb0df9e020409349b4.exe | BgjGTXOHLB.exe
PID 2892 wrote to memory of 2820 | 2892 | 6ebc441b966301fb0df9e020409349b4.exe | BgjGTXOHLB.exe
PID 2892 wrote to memory of 2820 | 2892 | 6ebc441b966301fb0df9e020409349b4.exe | BgjGTXOHLB.exe
PID 2892 wrote to memory of 3016 | 2892 | 6ebc441b966301fb0df9e020409349b4.exe | 7we2KHe8qk.exe
PID 2892 wrote to memory of 3016 | 2892 | 6ebc441b966301fb0df9e020409349b4.exe | 7we2KHe8qk.exe
PID 2892 wrote to memory of 3016 | 2892 | 6ebc441b966301fb0df9e020409349b4.exe | 7we2KHe8qk.exe
PID 2892 wrote to memory of 496 | 2892 | 6ebc441b966301fb0df9e020409349b4.exe | 1Yo1uoKw59.exe
PID 2892 wrote to memory of 496 | 2892 | 6ebc441b966301fb0df9e020409349b4.exe | 1Yo1uoKw59.exe
PID 2892 wrote to memory of 496 | 2892 | 6ebc441b966301fb0df9e020409349b4.exe | 1Yo1uoKw59.exe
PID 2892 wrote to memory of 3424 | 2892 | 6ebc441b966301fb0df9e020409349b4.exe | cmd.exe
PID 2892 wrote to memory of 3424 | 2892 | 6ebc441b966301fb0df9e020409349b4.exe | cmd.exe
PID 2892 wrote to memory of 3424 | 2892 | 6ebc441b966301fb0df9e020409349b4.exe | cmd.exe
PID 3424 wrote to memory of 676 | 3424 | cmd.exe | timeout.exe
PID 3424 wrote to memory of 676 | 3424 | cmd.exe | timeout.exe
PID 3424 wrote to memory of 676 | 3424 | cmd.exe | timeout.exe
PID 496 wrote to memory of 1136 | 496 | 1Yo1uoKw59.exe | 1Yo1uoKw59.exe
PID 496 wrote to memory of 1136 | 496 | 1Yo1uoKw59.exe | 1Yo1uoKw59.exe
PID 496 wrote to memory of 1136 | 496 | 1Yo1uoKw59.exe | 1Yo1uoKw59.exe
PID 496 wrote to memory of 1136 | 496 | 1Yo1uoKw59.exe | 1Yo1uoKw59.exe
Processes
C:\Users\Admin\AppData\Local\Temp\6ebc441b966301fb0df9e020409349b4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ebc441b966301fb0df9e020409349b4.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\POvnsqt.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\POvnsqt.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\POvnsqt.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\POvnsqt.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\ac.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ac.exe"
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\rc.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\rc.exe"
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\ds2.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ds2.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 956
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\ds1.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ds1.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 956
          - Drops file in Windows directory
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "POvnsqt.exe"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\timeout.exe
          Command line: C:\Windows\system32\timeout.exe 3
          - Delays execution with timeout.exe
  C:\Users\Admin\AppData\Local\Temp\Ofdsnswq.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ofdsnswq.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Ofdsnswq.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Ofdsnswq.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 4036 & erase C:\Users\Admin\AppData\Local\Temp\Ofdsnswq.exe & RD /S /Q C:\\ProgramData\\205642378413345\\* & exit
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /pid 4036
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\6ebc441b966301fb0df9e020409349b4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6ebc441b966301fb0df9e020409349b4.exe"
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\zTkUsfmOzZ.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\zTkUsfmOzZ.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\BgjGTXOHLB.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\BgjGTXOHLB.exe"
      - Executes dropped EXE
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 1160
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\7we2KHe8qk.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7we2KHe8qk.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 956
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\1Yo1uoKw59.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1Yo1uoKw59.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\1Yo1uoKw59.exe
        Command line: "{path}"
        - Executes dropped EXE
        - Windows security modification
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" Get-MpPreference -verbose
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\6ebc441b966301fb0df9e020409349b4.exe"
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout /T 10 /NOBREAK
        - Delays execution with timeout.exe
Downloads
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8ED.tmp.WERInternalMetadata.xml
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1Yo1uoKw59.exe.log
C:\Users\Admin\AppData\Local\Temp\1Yo1uoKw59.exe
C:\Users\Admin\AppData\Local\Temp\7we2KHe8qk.exe
C:\Users\Admin\AppData\Local\Temp\BgjGTXOHLB.exe
C:\Users\Admin\AppData\Local\Temp\Ofdsnswq.exe
C:\Users\Admin\AppData\Local\Temp\POvnsqt.exe
C:\Users\Admin\AppData\Local\Temp\ac.exe
C:\Users\Admin\AppData\Local\Temp\ds1.exe
C:\Users\Admin\AppData\Local\Temp\ds2.exe
C:\Users\Admin\AppData\Local\Temp\rc.exe
C:\Users\Admin\AppData\Local\Temp\zTkUsfmOzZ.exe
\ProgramData\mozglue.dll
\ProgramData\nss3.dll
  MD5: bfac4e3c5908856ba17d41edcd455a51
  SHA1: 8eec7e888767aa9e4cca8ff246eb2aacb9170428
  SHA256: e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
  SHA512: 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
\ProgramData\sqlite3.dll
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll
  MD5: 02cc7b8ee30056d5912de54f1bdfc219
  SHA1: a6923da95705fb81e368ae48f93d28522ef552fb
  SHA256: 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
  SHA512: 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5
\Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll
\Users\Admin\AppData\LocalLow\sqlite3.dll
\Users\Admin\AppData\Local\Temp\ED70460B\mozglue.dll
\Users\Admin\AppData\Local\Temp\ED70460B\msvcp140.dll
\Users\Admin\AppData\Local\Temp\ED70460B\nss3.dll
  MD5: 556ea09421a0f74d31c4c0a89a70dc23
  SHA1: f739ba9b548ee64b13eb434a3130406d23f836e3
  SHA256: f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
  SHA512: 2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
\Users\Admin\AppData\Local\Temp\ED70460B\vcruntime140.dll
memory/496-73-0x0000000000000000-mapping.dmp
memory/676-77-0x0000000000000000-mapping.dmp
memory/1012-48-0x0000000000000000-mapping.dmp
memory/1136-129-0x0000000000403BEE-mapping.dmp
memory/1136-126-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
memory/1528-62-0x0000000000000000-mapping.dmp
memory/1604-79-0x0000000004F60000-0x0000000004F61000-memory.dmp (Filesize: 4KB)
memory/1604-101-0x00000000055A0000-0x00000000055A1000-memory.dmp (Filesize: 4KB)
memory/1652-94-0x0000000000000000-mapping.dmp
memory/1652-80-0x0000000000000000-mapping.dmp
memory/1652-92-0x0000000000000000-mapping.dmp
memory/1652-90-0x0000000000000000-mapping.dmp
memory/1652-95-0x0000000000000000-mapping.dmp
memory/1652-88-0x0000000000000000-mapping.dmp
memory/1652-86-0x0000000000000000-mapping.dmp
memory/1652-84-0x0000000000000000-mapping.dmp
memory/1652-97-0x0000000000000000-mapping.dmp
memory/1652-82-0x0000000000000000-mapping.dmp
memory/1652-56-0x0000000000000000-mapping.dmp
memory/1828-98-0x0000000000000000-mapping.dmp
memory/1828-91-0x0000000000000000-mapping.dmp
memory/1828-83-0x0000000000000000-mapping.dmp
memory/1828-81-0x0000000000000000-mapping.dmp
memory/1828-96-0x0000000000000000-mapping.dmp
memory/1828-85-0x0000000000000000-mapping.dmp
memory/1828-59-0x0000000000000000-mapping.dmp
memory/1828-87-0x0000000000000000-mapping.dmp
memory/1828-99-0x0000000000000000-mapping.dmp
memory/1828-89-0x0000000000000000-mapping.dmp
memory/1828-93-0x0000000000000000-mapping.dmp
memory/2020-40-0x0000000000000000-mapping.dmp
memory/2432-63-0x0000000000000000-mapping.dmp
memory/2636-64-0x0000000000000000-mapping.dmp
memory/2820-123-0x0000000000000000-mapping.dmp
memory/2820-67-0x0000000000000000-mapping.dmp
memory/2820-128-0x0000000000000000-mapping.dmp
memory/2820-125-0x0000000000000000-mapping.dmp
memory/2820-121-0x0000000000000000-mapping.dmp
memory/2820-119-0x0000000000000000-mapping.dmp
memory/2820-117-0x0000000000000000-mapping.dmp
memory/2820-115-0x0000000000000000-mapping.dmp
memory/2820-114-0x0000000000000000-mapping.dmp
memory/2892-12-0x0000000000400000-0x0000000000497000-memory.dmp (Filesize: 604KB)
memory/2892-14-0x000000000043FA98-mapping.dmp
memory/2892-18-0x0000000000400000-0x0000000000497000-memory.dmp (Filesize: 604KB)
memory/3016-111-0x0000000000000000-mapping.dmp
memory/3016-109-0x0000000000000000-mapping.dmp
memory/3016-110-0x0000000000000000-mapping.dmp
memory/3016-70-0x0000000000000000-mapping.dmp
memory/3016-112-0x0000000000000000-mapping.dmp
memory/3016-113-0x0000000000000000-mapping.dmp
memory/3016-124-0x0000000000000000-mapping.dmp
memory/3016-116-0x0000000000000000-mapping.dmp
memory/3016-122-0x0000000000000000-mapping.dmp
memory/3016-118-0x0000000000000000-mapping.dmp
memory/3016-120-0x0000000000000000-mapping.dmp
memory/3236-78-0x0000000005030000-0x0000000005031000-memory.dmp (Filesize: 4KB)
memory/3236-100-0x0000000005570000-0x0000000005571000-memory.dmp (Filesize: 4KB)
memory/3424-74-0x0000000000000000-mapping.dmp
memory/3440-133-0x0000000000000000-mapping.dmp
memory/3492-53-0x0000000000000000-mapping.dmp
memory/3508-15-0x000000000041A684-mapping.dmp
memory/3508-13-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
memory/3508-17-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
memory/3840-127-0x0000000005410000-0x0000000005411000-memory.dmp (Filesize: 4KB)
memory/3840-108-0x0000000005210000-0x0000000005211000-memory.dmp (Filesize: 4KB)
memory/3840-106-0x0000000004E10000-0x0000000004E11000-memory.dmp (Filesize: 4KB)
memory/3848-2-0x0000000000000000-mapping.dmp
memory/3856-50-0x0000000000000000-mapping.dmp
memory/3928-6-0x0000000000000000-mapping.dmp
memory/4036-22-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
memory/4036-20-0x0000000000417A8B-mapping.dmp
memory/4036-19-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
memory/4060-130-0x0000000004CB0000-0x0000000004CB1000-memory.dmp (Filesize: 4KB)
memory/4060-107-0x00000000043C0000-0x00000000043C1000-memory.dmp (Filesize: 4KB)